author | Victor Hsieh <victorhsieh@google.com> | 2022-09-14 17:50:59 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2022-09-14 17:50:59 +0000 |
commit | 7942ba9a1e65d566e7b3c16aa7a55852842ea6b1 (patch) | |
tree | b09f41549caefc5417f756d7e5e6566065fee1cc | |
parent | e986ab203808e03bb9180f89c236055a62dbe257 (diff) | |
parent | 8c54b9a54b1846c272132d5418bd8261c8d37328 (diff) | |
download | build-7942ba9a1e65d566e7b3c16aa7a55852842ea6b1.tar.gz |
Merge "Revert "Generate fs-verity build manifst APK for other partitions""
-rw-r--r-- | core/Makefile | 139 | ||||
-rw-r--r-- | core/product.mk | 15 |
2 files changed, 55 insertions, 99 deletions
diff --git a/core/Makefile b/core/Makefile
index cf40959558..0accfb6df9 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -599,7 +599,7 @@ $(APKCERTS_FILE):
 $(if $(PACKAGES.$(p).EXTERNAL_KEY),\
 $(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),EXTERNAL,,$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@),\
 $(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),$(PACKAGES.$(p).CERTIFICATE),$(PACKAGES.$(p).PRIVATE_KEY),$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@))))
- $(if $(filter true,$(PRODUCT_FSVERITY_GENERATE_METADATA)),\
+ $(if $(filter true,$(PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA)),\
 $(call _apkcerts_write_line,$(notdir $(basename $(FSVERITY_APK_OUT))),$(FSVERITY_APK_KEY_PATH).x509.pem,$(FSVERITY_APK_KEY_PATH).pk8,,system,$@))
 # In case value of PACKAGES is empty.
 $(hide) touch $@
@@ -2933,35 +2933,21 @@ $1 endef +# ----------------------------------------------------------------- +# system image + # FSVerity metadata generation # Generate fsverity metadata files (.fsv_meta) and build manifest -# (<partition>/etc/security/fsverity/BuildManifest.apk) BEFORE filtering systemimage, vendorimage, -# odmimage, productimage files below. -ifeq ($(PRODUCT_FSVERITY_GENERATE_METADATA),true) +# (system/etc/security/fsverity/BuildManifest.apk) BEFORE filtering systemimage files below +ifeq ($(PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA),true) -fsverity-metadata-targets-patterns := \ +# Generate fsv_meta +fsverity-metadata-targets := $(sort $(filter \ $(TARGET_OUT)/framework/% \ $(TARGET_OUT)/etc/boot-image.prof \ $(TARGET_OUT)/etc/dirty-image-objects \ $(TARGET_OUT)/etc/preloaded-classes \ - $(TARGET_OUT)/etc/classpaths/%.pb \ - -ifdef BUILDING_SYSTEM_EXT_IMAGE -fsverity-metadata-targets-patterns += $(TARGET_OUT_SYSTEM_EXT)/framework/% -endif -ifdef BUILDING_VENDOR_IMAGE -fsverity-metadata-targets-patterns += $(TARGET_OUT_VENDOR)/framework/% -endif -ifdef BUILDING_ODM_IMAGE -fsverity-metadata-targets-patterns += $(TARGET_OUT_ODM)/framework/% -endif -ifdef BUILDING_PRODUCT_IMAGE -fsverity-metadata-targets-patterns += $(TARGET_OUT_PRODUCT)/framework/% -endif - -# Generate fsv_meta -fsverity-metadata-targets := $(sort $(filter \ - $(fsverity-metadata-targets-patterns), \ + $(TARGET_OUT)/etc/classpaths/%.pb, \ $(ALL_DEFAULT_INSTALLED_MODULES))) define fsverity-generate-metadata 
@@ -2975,80 +2961,47 @@ endef $(foreach f,$(fsverity-metadata-targets),$(eval $(call fsverity-generate-metadata,$(f)))) ALL_DEFAULT_INSTALLED_MODULES += $(addsuffix .fsv_meta,$(fsverity-metadata-targets)) +# Generate BuildManifest.apk FSVERITY_APK_KEY_PATH := $(DEFAULT_SYSTEM_DEV_CERTIFICATE) -FSVERITY_APK_MANIFEST_TEMPLATE_PATH := system/security/fsverity/AndroidManifest.xml - -# Generate and install BuildManifest.apk for the given partition -# $(1): path of the output APK -# $(2): partition name -define fsverity-generate-and-install-manifest-apk -fsverity-metadata-targets-$(2) := $(filter $(PRODUCT_OUT)/$(2)/%,\ - $(fsverity-metadata-targets)) -$(1): PRIVATE_FSVERITY := $(HOST_OUT_EXECUTABLES)/fsverity -$(1): PRIVATE_AAPT2 := $(HOST_OUT_EXECUTABLES)/aapt2 -$(1): PRIVATE_MIN_SDK_VERSION := $(DEFAULT_APP_TARGET_SDK) -$(1): PRIVATE_VERSION_CODE := $(PLATFORM_SDK_VERSION) -$(1): PRIVATE_VERSION_NAME := $(APPS_DEFAULT_VERSION_NAME) -$(1): PRIVATE_APKSIGNER := $(HOST_OUT_EXECUTABLES)/apksigner -$(1): PRIVATE_MANIFEST := $(FSVERITY_APK_MANIFEST_TEMPLATE_PATH) -$(1): PRIVATE_FRAMEWORK_RES := $(call intermediates-dir-for,APPS,framework-res,,COMMON)/package-export.apk -$(1): PRIVATE_KEY := $(FSVERITY_APK_KEY_PATH) -$(1): PRIVATE_INPUTS := $$(fsverity-metadata-targets-$(2)) -$(1): PRIVATE_ASSETS := $(call intermediates-dir-for,ETC,build_manifest-$(2))/assets -$(1): $(HOST_OUT_EXECUTABLES)/fsverity_manifest_generator \ +FSVERITY_APK_OUT := $(TARGET_OUT)/etc/security/fsverity/BuildManifest.apk +FSVERITY_APK_MANIFEST_PATH := system/security/fsverity/AndroidManifest.xml +$(FSVERITY_APK_OUT): PRIVATE_FSVERITY := $(HOST_OUT_EXECUTABLES)/fsverity +$(FSVERITY_APK_OUT): PRIVATE_AAPT2 := $(HOST_OUT_EXECUTABLES)/aapt2 +$(FSVERITY_APK_OUT): PRIVATE_MIN_SDK_VERSION := $(DEFAULT_APP_TARGET_SDK) +$(FSVERITY_APK_OUT): PRIVATE_VERSION_CODE := $(PLATFORM_SDK_VERSION) +$(FSVERITY_APK_OUT): PRIVATE_VERSION_NAME := $(APPS_DEFAULT_VERSION_NAME) +$(FSVERITY_APK_OUT): PRIVATE_APKSIGNER := 
$(HOST_OUT_EXECUTABLES)/apksigner +$(FSVERITY_APK_OUT): PRIVATE_MANIFEST := $(FSVERITY_APK_MANIFEST_PATH) +$(FSVERITY_APK_OUT): PRIVATE_FRAMEWORK_RES := $(call intermediates-dir-for,APPS,framework-res,,COMMON)/package-export.apk +$(FSVERITY_APK_OUT): PRIVATE_KEY := $(FSVERITY_APK_KEY_PATH) +$(FSVERITY_APK_OUT): PRIVATE_INPUTS := $(fsverity-metadata-targets) +$(FSVERITY_APK_OUT): PRIVATE_ASSETS := $(call intermediates-dir-for,ETC,build_manifest)/assets +$(FSVERITY_APK_OUT): $(HOST_OUT_EXECUTABLES)/fsverity_manifest_generator \ $(HOST_OUT_EXECUTABLES)/fsverity $(HOST_OUT_EXECUTABLES)/aapt2 \ - $(HOST_OUT_EXECUTABLES)/apksigner $(FSVERITY_APK_MANIFEST_TEMPLATE_PATH) \ + $(HOST_OUT_EXECUTABLES)/apksigner $(FSVERITY_APK_MANIFEST_PATH) \ $(FSVERITY_APK_KEY_PATH).x509.pem $(FSVERITY_APK_KEY_PATH).pk8 \ $(call intermediates-dir-for,APPS,framework-res,,COMMON)/package-export.apk \ - $$(fsverity-metadata-targets-$(2)) - rm -rf $$(PRIVATE_ASSETS) - mkdir -p $$(PRIVATE_ASSETS) -ifdef fsverity-metadata-targets-$(2) - $$< --fsverity-path $$(PRIVATE_FSVERITY) \ - --base-dir $$(PRODUCT_OUT) \ - --output $$(PRIVATE_ASSETS)/build_manifest.pb \ - $$(PRIVATE_INPUTS) -endif # fsverity-metadata-targets-$(2) - $$(PRIVATE_AAPT2) link -o $$@ \ - -A $$(PRIVATE_ASSETS) \ - -I $$(PRIVATE_FRAMEWORK_RES) \ - --min-sdk-version $$(PRIVATE_MIN_SDK_VERSION) \ - --version-code $$(PRIVATE_VERSION_CODE) \ - --version-name $$(PRIVATE_VERSION_NAME) \ - --manifest $$(PRIVATE_MANIFEST) \ - --rename-manifest-package com.android.security.fsverity_metadata.$(2) - $$(PRIVATE_APKSIGNER) sign --in $$@ \ - --cert $$(PRIVATE_KEY).x509.pem \ - --key $$(PRIVATE_KEY).pk8 - -ALL_DEFAULT_INSTALLED_MODULES += $(1) - -endef # fsverity-generate-and-install-manifest-apk - -$(eval $(call fsverity-generate-and-install-manifest-apk, \ - $(TARGET_OUT)/etc/security/fsverity/BuildManifest.apk,system)) -ifdef BUILDING_SYSTEM_EXT_IMAGE - $(eval $(call fsverity-generate-and-install-manifest-apk, \ - 
$(TARGET_OUT_SYSTEM_EXT)/etc/security/fsverity/BuildManifest.apk,system_ext)) -endif -ifdef BUILDING_VENDOR_IMAGE - $(eval $(call fsverity-generate-and-install-manifest-apk, \ - $(TARGET_OUT_VENDOR)/etc/security/fsverity/BuildManifest.apk,vendor)) -endif -ifdef BUILDING_ODM_IMAGE - $(eval $(call fsverity-generate-and-install-manifest-apk, \ - $(TARGET_OUT_ODM)/etc/security/fsverity/BuildManifest.apk,odm)) -endif -ifdef BUILDING_PRODUCT_IMAGE - $(eval $(call fsverity-generate-and-install-manifest-apk, \ - $(TARGET_OUT_PRODUCT)/etc/security/fsverity/BuildManifest.apk,product)) -endif - -endif # PRODUCT_FSVERITY_GENERATE_METADATA - - -# ----------------------------------------------------------------- -# system image + $(fsverity-metadata-targets) + rm -rf $(PRIVATE_ASSETS) + mkdir -p $(PRIVATE_ASSETS) + $< --fsverity-path $(PRIVATE_FSVERITY) \ + --base-dir $(PRODUCT_OUT) \ + --output $(PRIVATE_ASSETS)/build_manifest.pb \ + $(PRIVATE_INPUTS) + $(PRIVATE_AAPT2) link -o $@ \ + -A $(PRIVATE_ASSETS) \ + -I $(PRIVATE_FRAMEWORK_RES) \ + --min-sdk-version $(PRIVATE_MIN_SDK_VERSION) \ + --version-code $(PRIVATE_VERSION_CODE) \ + --version-name $(PRIVATE_VERSION_NAME) \ + --manifest $(PRIVATE_MANIFEST) + $(PRIVATE_APKSIGNER) sign --in $@ \ + --cert $(PRIVATE_KEY).x509.pem \ + --key $(PRIVATE_KEY).pk8 + +ALL_DEFAULT_INSTALLED_MODULES += $(FSVERITY_APK_OUT) + +endif # PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA INSTALLED_FILES_OUTSIDE_IMAGES := $(filter-out $(TARGET_OUT)/%, $(INSTALLED_FILES_OUTSIDE_IMAGES)) INTERNAL_SYSTEMIMAGE_FILES := $(sort $(filter $(TARGET_OUT)/%, \ diff --git a/core/product.mk b/core/product.mk index 277fa7444b..ee2fa5a4b8 100644 --- a/core/product.mk +++ b/core/product.mk 
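Review bot: In the `$(FSVERITY_APK_OUT)` recipe, `$(PRIVATE_AAPT2) link -o $@` writes the final target before `$(PRIVATE_APKSIGNER) sign --in $@` signs it in place, so a failure in the signing step can leave an unsigned BuildManifest.apk at the installed path with a fresh timestamp (unless the build runner removes the outputs of failed commands, which is not visible here). Linking to a temporary such as `$@.unsigned` and signing with `--in $@.unsigned --out $@` would make the target appear only once it carries a signature. The key is taken from `FSVERITY_APK_KEY_PATH := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)`, so I would also put a comment above that assignment, for example `# Signed with the default dev certificate at build time; release signing is expected to replace it via the apkcerts entry.`; presumably that is what the `_apkcerts_write_line` entry in the first hunk is for, but that should be confirmed. The recipe also now runs the manifest generator unconditionally, where the removed code guarded it with an `ifdef` on the input list, so it is worth checking that the generator accepts an empty `$(PRIVATE_INPUTS)`.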
@@ -356,12 +356,15 @@ _product_single_value_vars += PRODUCT_INSTALL_EXTRA_FLATTENED_APEXES # This option is only meant to be set by compliance GSI targets. _product_single_value_vars += PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT -# If set, fsverity metadata files will be generated for each files in the -# allowlist, plus an manifest APK per partition. For example, -# /system/framework/service.jar will come with service.jar.fsv_meta in the same -# directory; the file information will also be included in -# /system/etc/security/fsverity/BuildManifest.apk -_product_single_value_vars += PRODUCT_FSVERITY_GENERATE_METADATA +# If set, metadata files for the following artifacts will be generated. +# - system/framework/*.jar +# - system/framework/oat/<arch>/*.{oat,vdex,art} +# - system/etc/boot-image.prof +# - system/etc/dirty-image-objects +# One fsverity metadata container file per one input file will be generated in +# system.img, with a suffix ".fsv_meta". e.g. a container file for +# "/system/framework/foo.jar" will be "system/framework/foo.jar.fsv_meta". +_product_single_value_vars += PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA # If true, sets the default for MODULE_BUILD_FROM_SOURCE. This overrides # BRANCH_DEFAULT_MODULE_BUILD_FROM_SOURCE but not an explicitly set value. |
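Review bot: The new comment on `PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA` lists fewer artifacts than the filter in core/Makefile covers. The allowlist there also contains `$(TARGET_OUT)/etc/preloaded-classes` and `$(TARGET_OUT)/etc/classpaths/%.pb`, and it matches everything under `$(TARGET_OUT)/framework/%`, not only the jar and oat files named here. The comment also no longer says that `system/etc/security/fsverity/BuildManifest.apk` is generated and installed when the flag is set. I would add `# - system/etc/preloaded-classes` and `# - system/etc/classpaths/*.pb` to the list, plus a closing line such as `# A signed manifest of these files is installed as system/etc/security/fsverity/BuildManifest.apk.`, so that the comment stays an accurate statement of what the flag covers.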